Type/Severity

Topic

The Red Hat Security Response Team has rated this update as havingimportant security impact. Common Vulnerability Scoring System (CVSS) basescores, which give detailed severity ratings, are available for eachvulnerability from the CVE links in the References section.

[Update 6 December 2010]The package list in this erratum has been updated to include the kernel-docpackages for the IA32 architecture.

Description

The kernel packages contain the Linux kernel, the core of any Linuxoperating system.

Security fixes:

A flaw in sctp_packet_config() in the Linux kernel's Stream ControlTransmission Protocol (SCTP) implementation could allow a remote attackerto cause a denial of service. (CVE-2010-3432, Important)

A missing integer overflow check in snd_ctl_new() in the Linux kernel'ssound subsystem could allow a local, unprivileged user on a 32-bit systemto cause a denial of service or escalate their privileges. (CVE-2010-3442,Important)

Red Hat would like to thank Dan Rosenberg for reporting CVE-2010-3442.

Bug fixes:

Forward time drift was observed on virtual machines using PMtimer-based kernel tick accounting and running on KVM or the MicrosoftHyper-V Server hypervisor. Virtual machines that were booted with thedivider=x kernel parameter set to a value greater than 1 and that showedthe following in the kernel boot messages were subject to this issue:

time.c: Using PM based timekeeping

Fine grained accounting for the PM timer is introduced which eliminatesthis issue. However, this fix uncovered a bug in the Xen hypervisor,possibly causing backward time drift. If this erratum is installed in XenHVM guests that meet the aforementioned conditions, it is recommended thatthe host use kernel-xen-2.6.18-194.26.1.el5 or newer, which includes a fix(BZ#641915) for the backward time drift. (BZ#629237)

With multipath enabled, systems would occasionally halt when thedo_cciss_request function was used. This was caused by wrongly-generatedrequests. Additional checks have been added to avoid the aforementionedissue. (BZ#640193)

A Sun X4200 system equipped with a QLogic HBA spontaneously rebooted andlogged a Hyper-Transport Sync Flood Error to the system event log. AMaximum Memory Read Byte Count restriction was added to fix this bug.(BZ#640919)

For an active/backup bonding network interface with VLANs on top of it,when a link failed over, it took a minute for the multicast domain to berejoined. This was caused by the driver not sending any IGMP join packets.The driver now sends IGMP join packets and the multicast domain is rejoinedimmediately. (BZ#641002)

Replacing a disk and trying to rebuild it afterwards caused the system topanic. When a domain validation request for a hot plugged drive was sent,the mptscsi driver did not validate its existence. This could result in thedriver accessing random memory and causing the crash. A check has beenadded that describes the newly-added device and reloads the iocPg3 datafrom the firmware if needed. (BZ#641137)

An attempt to create a VLAN interface on a bond of two bnx2 adapters intwo switch configurations resulted in a soft lockup after a few seconds.This was caused by an incorrect use of a bonding pointer. With this update,soft lockups no longer occur and creating a VLAN interface works asexpected. (BZ#641254)

Erroneous pointer checks could have caused a kernel panic. This was dueto a critical value not being copied when a network buffer was duplicatedand consumed by multiple portions of the kernel's network stack. Fixing thecopy operation resolved this bug. (BZ#642746)

A typo in a variable name caused it to be dereferenced in either mkdir()or create() which could cause a kernel panic. (BZ#643342)

SCSI high level drivers can submit SCSI commands which would never becompleted when the device was offline. This was caused by a missingcallback for the request to complete the given command. SCSI requests arenow terminated by calling their callback when a device is offline.(BZ#644816)

A kernel panic could have occurred on systems due to a recursive lock inthe 3c59x driver. Recursion is now avoided and this kernel panic no longeroccurs. (BZ#648407)

Users should upgrade to these updated packages, which contain backportedpatches to correct these issues. The system must be rebooted for thisupdate to take effect.

Solution

Before applying this update, make sure all previously-released erratarelevant to your system have been applied.

This update is available via the Red Hat Network. Details on how touse the Red Hat Network to apply this update are available athttp://kbase.redhat.com/faq/docs/DOC-11259

To install kernel packages manually, use "rpm -ivh [package]". Do notuse "rpm -Uvh" as that will remove the running kernel binaries fromyour system. You may use "rpm -e" to remove old kernels afterdetermining that the new kernel functions properly on your system.